Nmap Development
mailing list archives
Re: [NSE] http-slowloris, check if a webserver is prone to the Slowloris DoS attack
From: Gutek <ange.gutek () gmail com>
Date: Sun, 10 Apr 2011 09:19:25 +0200
Hi list,
Here is an update about my slowloris attack script(*).
The major update is the monitoring of the pending attack, and the
current target's health. Slowloris could be by design a very long
attack(**), hence this script should be launched with, at least, -d.
At the first level (-d1) the user will have a report from time to time
with the main interesting data: is the target still up, significant
target slowdown meaning that the attack is starting to hurt the
webserver and DoS successful.
With a deeper -d value (-d2), we have additional information such as
the number of effective concurrent connections (some will die when the
webserver becomes critical) and live server response time: this
"heartbeat" is interesting to see if the attack is beginning to be
efficient.
The script works without the live info provided by -d but again, as
this attack could take hours or days depending on what the target can
handle I think that it is mandatory for the user to check what's going on.
Sample Output (nmap -n -PN -p80 --script http-slowloris -d2 <target>)
NSE: http-slowloris: target <host ip> is still up...
NSE: http-slowloris: (nil special to report so far...)
(only with -d2)
NSE: http-slowloris: 2 EFFECTIVE CONNECTIONS
NSE: http-slowloris: 3 EFFECTIVE CONNECTIONS
NSE: http-slowloris: 4 EFFECTIVE CONNECTIONS
NSE: http-slowloris: 5 EFFECTIVE CONNECTIONS
NSE: http-slowloris: 6 EFFECTIVE CONNECTIONS
NSE: http-slowloris: 7 EFFECTIVE CONNECTIONS
...
NSE: http-slowloris: target <host ip> is still up...
(starting to maintain the http connection by filling the header more and more)
NSE: http-slowloris: HTTP stream started.
(only with -d2) NSE: http-slowloris: server responsive (306 ms).
(only with -d2) NSE: http-slowloris: server responsive (457 ms).
(only with -d2) NSE: http-slowloris: server responsive (860 ms).
(only with -d2) NSE: http-slowloris: SERVER SLOWING DOWN by 108 percent (860 ms).
...
...
NSE: http-slowloris: target <host ip> is still up...
NSE: http-slowloris: <host ip> has slowed down by 108%
(a bunch of socket errors as connections are going down)
NSE: http-slowloris: target <host ip> is still up...
(the script tries to replace broken connections)
NSE: http-slowloris: HTTP stream started.
(only with -d2) NSE: http-slowloris: SERVER SLOWING DOWN by 387 percent (3733 ms).
(a bunch of errors, same reason)
NSE: http-slowloris: DoS CONDITION REACHED ! server down.
Nmap scan report for <host name> (<host ip>)
Host is up, received user-set (0.14s latency).
Scanned at 2011-04-10 08:09:40 CEST for 220s
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-slowloris:
| Target was DoSed:
| the attack took +3m40s
| with 32 concurrent connections
|_ with 66 queries sent
(*) https://secwiki.org/w/Nmap/Script_Ideas#http-slowloris
(**) http://ha.ckers.org/slowloris/
Regards,
A.G.
Attachment: http-slowloris.nse
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
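Added example, not part of the original post or of the attached script: a server-side check for the pattern the post describes, connections kept open by filling the header a little at a time. It shows that a per-read idle timeout never fires on such connections while a deadline on completing the header does; the record fields, thresholds and sample addresses are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Thresholds (15 s, 30 s, 10 connections) are illustrative assumptions.

@dataclass
class Conn:
    client: str         # peer address
    opened: float       # time the connection was accepted (seconds)
    last_byte: float    # time the most recent header bytes arrived
    headers_done: bool  # True once the blank line ending the header was read

def idle_timeout_hits(conns, now, idle=15.0):
    """Connections a per-read idle timeout would close."""
    return [c for c in conns
            if not c.headers_done and now - c.last_byte >= idle]

def header_deadline_hits(conns, now, deadline=30.0):
    """Connections that exceed a total time budget for sending the header."""
    return [c for c in conns
            if not c.headers_done and now - c.opened >= deadline]

def flag_clients(hits, min_conns=10):
    """Clients holding at least min_conns offending connections."""
    per_client = Counter(c.client for c in hits)
    return {ip: n for ip, n in per_client.items() if n >= min_conns}

def sample_connections():
    """Constructed data: 32 connections from one client that each sent a
    header line 5 s ago, five finished requests, one request in progress."""
    slow = [Conn("198.51.100.7", float(i), 95.0, False) for i in range(32)]
    done = [Conn(f"203.0.113.{i}", 90.0 + i, 90.5 + i, True) for i in range(5)]
    fresh = [Conn("203.0.113.50", 99.0, 99.0, False)]
    return slow + done + fresh

if __name__ == "__main__":
    conns, now = sample_connections(), 100.0
    print("idle timeout closes:", len(idle_timeout_hits(conns, now)))
    print("header deadline flags:", flag_clients(header_deadline_hits(conns, now)))
```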